Can cyber security and IT have the same reports?

Essentially, in cyber security you could be reporting on your bosses if you're under IT. CISSP and some of the other courses I have taken have said IT security should be under a different reporting structure. How does your company handle that?

In my experience there is a mix. IT is cyber security to the users, and security is security to IT. Two different C levels.

Does that make sense?

I think you misunderstood.

Should the departments be separated? Should the CISO be a part of IT or compliance?

I'm pretty sure he said they should be part of compliance. That's the two different C levels. One C level is IT (CIO), the other C level is compliance/etc (possibly the CFO).

Compliance should never be under a totally arbitrary team like finance. Especially not finance. That's just as bad as being under IT. If finance is stealing money, and they are the most likely ones to do so, they'd control their own audits!